USB in Locked PC Triggers Denial-of-Service Attack

The latest news from Bitdefender researcher Marius Tivadar – that a vulnerability in the way Windows handles NTFS file system image can trigger a blue screen of death – is not surprising. Fixes to blue screen errors in issues associated with NTFS.SYS have been released in the past.

Tivadar published his proof-of-concept (PoC) code on GitHub, in which he was able to execute the denial-of-service (DoS) attack by using a handcrafted NTFS image. The attack “can be driven from user mode, limited user account or Administrator,” wrote Tivadar. “It can even crash the system if it is in in locked state.”

Stored on a USB thumb drive that was inserted in a Windows PC, the NTFS image crashed the system within seconds. It’s worth noting that the PoC is not malware but a malformed NTFS file.

In July 2017, Tivadar reported the DoS attack to Microsoft and included the forged 10MB NTFS image that would crash Windows 7 and Windows 10 systems. He also included a PoC video.

Addressing the impact of the issue, Tivadar wrote, “Auto-play is activated by default, this leads to automatically crashing the system when usb is inserted. Even with auto-play disabled, system will crash when the file is accessed.”

The researcher reported that he strongly believed the behavior should be changed in large part because of the alarming discovery that an attacker could insert the USB stick and cause the system to crash while the computer is locked.

“Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine,” Tivadar wrote.

Despite his plea, the final email response he received said, “Your report requires either physical access or social engineering, and as such, does not meet the bar for servicing down-level (issuing a security patch).”

At the time the vulnerability was disclosed, Microsoft said it did not want to assign a CVE to it, according to Tivadar. It did, however, write, “Your attempt to responsibly disclose a potential security issue is appreciated and we hope you continue to do so.” And apparently Microsoft has come around and is reported to have issued a fix for the Windows 10 vulnerability.